From: Ruben de Groot
To: Dan Nelson
Cc: Norbert Papke, freebsd-questions@freebsd.org
Date: Tue, 23 Jun 2009 10:39:30 +0200
Subject: Re: slowloris, accf_http and POST requests
Message-ID: <20090623083930.GA90810@ei.bzerk.org>
In-Reply-To: <20090622223556.GC76275@dan.emsphone.com>
References: <20090622112607.GA80249@ei.bzerk.org> <200906220845.23920.npapke@acm.org> <20090622171516.GA82862@ei.bzerk.org> <20090622223556.GC76275@dan.emsphone.com>
List: freebsd-questions@freebsd.org (User questions)
On Mon, Jun 22, 2009 at 05:35:56PM -0500, Dan Nelson typed:
> In the last episode (Jun 22), Ruben de Groot said:
> >
> > My main concern here is if applying the trivial patch I posted would break
> > anything in the http protocol layer. And if not, why isn't the POST method
> > included in the http accept filter in the first place?
>
> The filter wasn't designed to be an anti-DOS tool; it was an optimization to
> save some context switches at the beginning of every request. POSTs are

I know this. But in this particular case, it *works* as an anti-DOS tool.
And a pretty good one too.

> infrequent, always include extra trailing data after the headers, and end up
> doing more processing at the server end than plain GET or HEADs, so
> buffering the first line of the request doesn't really help much.

Well, it helps against this slowloris script. And I don't see it costing much.

> You're better off adding a request-max-time limit to your webserver, or
> doing random-drops of existing connections if you get close to your fd or
> thread limit.

I'm exploring these options as well, but they have their own drawbacks.

Anyway, since it doesn't look like I'm breaking anything by buffering the
POST headers, I'm gonna maintain this as a local patch until something better
comes along.

Thanks for your input,

Ruben
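Added example, not the kernel's accf_http.c and not the local patch Ruben refers to: a user-space model of the accept-filter decision the thread is arguing about. The stock filter only buffers GET and HEAD, so a slowloris-style client that opens with POST and then trickles headers is handed to the web server straight away; with POST added to the method list the connection stays in the kernel until the blank line that ends the header block arrives. The method-prefix and CRLFCRLF/LFLF terminator checks are an assumption chosen to reproduce the behaviour described in the thread, and the real filter's other exit paths (for instance handing the connection up once the socket buffer fills) are not modelled. The sample requests are constructed.

```c
/*
 * User-space model of the accept-filter decision discussed in the thread:
 * FreeBSD's accf_http keeps a new connection in the kernel until a complete
 * request header block has arrived, and only then lets accept() return it.
 * Added example, not the kernel's accf_http.c and not the local patch; the
 * byte-level checks below (method prefix, CRLFCRLF or LFLF terminator) are
 * an assumption chosen to match the behaviour the thread describes.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum accf_verdict {
    ACCF_WAIT,   /* keep buffering in the kernel; the server is not woken */
    ACCF_READY,  /* complete request line and headers: hand to accept()  */
    ACCF_PASS    /* unfiltered method: handed to accept() immediately    */
};

/* Methods whose header block is buffered.  The stock filter only recognises
 * GET and HEAD; allow_post models the local patch that adds POST. */
static int method_is_filtered(const char *buf, size_t len, int allow_post)
{
    if (len >= 4 && memcmp(buf, "GET ", 4) == 0)
        return 1;
    if (len >= 5 && memcmp(buf, "HEAD ", 5) == 0)
        return 1;
    if (allow_post && len >= 5 && memcmp(buf, "POST ", 5) == 0)
        return 1;
    return 0;
}

/* End of the header block: "\r\n\r\n" or a bare "\n\n" anywhere so far. */
static int headers_complete(const char *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i++) {
        if (buf[i] == '\n' && buf[i + 1] == '\n')
            return 1;
        if (i + 3 < len && memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return 1;
    }
    return 0;
}

/* Decide what to do with the bytes received so far on a not-yet-accepted
 * connection.  Called again each time more data arrives. */
enum accf_verdict accf_http_check(const char *buf, size_t len, int allow_post)
{
    /* The longest recognised prefix is five bytes; classify only after that
     * many have arrived, otherwise "POS" could not be told from "POST ". */
    if (len < 5)
        return ACCF_WAIT;
    if (!method_is_filtered(buf, len, allow_post))
        return ACCF_PASS;
    return headers_complete(buf, len) ? ACCF_READY : ACCF_WAIT;
}

/* Feed a request to the filter one fragment at a time, the way a slow client
 * delivers it, and return the verdict once the last fragment is in. */
enum accf_verdict drip_feed(const char *req, size_t chunk, int allow_post)
{
    size_t total = strlen(req), got = 0;
    enum accf_verdict v = ACCF_WAIT;

    while (got < total && v == ACCF_WAIT) {
        got += (total - got < chunk) ? total - got : chunk;
        v = accf_http_check(req, got, allow_post);
    }
    return v;
}

int main(void)
{
    /* Constructed sample requests: the slow ones send a request line and a
     * few headers but never the blank line that ends the header block. */
    static const char slow_get[]  = "GET / HTTP/1.1\r\nHost: www.example.org\r\nX-a: 1\r\n";
    static const char slow_post[] = "POST / HTTP/1.1\r\nHost: www.example.org\r\nX-a: 1\r\n";
    static const char full_get[]  = "GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n";
    static const char *names[] = { "WAIT", "READY", "PASS" };

    printf("slow GET,  stock filter : %s\n", names[drip_feed(slow_get, 3, 0)]);
    printf("slow POST, stock filter : %s\n", names[drip_feed(slow_post, 3, 0)]);
    printf("slow POST, POST patched : %s\n", names[drip_feed(slow_post, 3, 1)]);
    printf("full GET,  stock filter : %s\n", names[drip_feed(full_get, 3, 0)]);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the slow GET stays WAIT (never reaches the server), the slow POST is PASS under the stock method list but WAIT once POST is filtered, and the complete GET is READY. On FreeBSD the real filter is loaded with `kldload accf_http` and attached per listening socket through `setsockopt(SO_ACCEPTFILTER)` with `af_name` set to `httpready` (Apache: `AcceptFilter http httpready`). The model also makes Dan's caveat visible: the filter only covers the header block, so a POST whose body is dripped in slowly reaches READY and then occupies a worker anyway, which is why a request-time limit in the server is still needed alongside the patch.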